Skip to content

fix(security): bump PyJWT and mlflow for CVE remediation#2752

Merged
terrykong merged 6 commits into
mainfrom
kajalj/cve-bumps-june-2026-2
Jun 10, 2026
Merged

fix(security): bump PyJWT and mlflow for CVE remediation#2752
terrykong merged 6 commits into
mainfrom
kajalj/cve-bumps-june-2026-2

Conversation

@kajalj22

@kajalj22 kajalj22 commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Addresses CVEs from the DT nSpect container scan on nvcr.io/nvidian/nemo-rl:nightly.

Package Before After
PyJWT 2.12.1 2.13.0
mlflow 3.12.0 3.13.0

🤖 Generated with Claude Code

kajalj22 and others added 2 commits June 9, 2026 18:07
@kajalj22 @claude
fix(security): bump PyJWT to >=2.13.0 for CVE remediation
fb7f162 
Bumps the PyJWT floor from 2.12.0 to 2.13.0 to pick up the latest
security fix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Kajal Jain <kajalj@nvidia.com>
@kajalj22 @claude
fix(security): bump mlflow to >=3.13.0 for CVE remediation
3edea37 
Bumps mlflow floor from 3.12.0 to 3.13.0 (stable release) to pick up
the latest security fixes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Kajal Jain <kajalj@nvidia.com>
@copy-pr-bot

copy-pr-bot Bot commented Jun 9, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

kajalj22 and others added 2 commits June 9, 2026 18:14
@kajalj22
Merge remote-tracking branch 'origin/main' into kajalj/cve-bumps-june…
3ddbec5 
…-2026-2
@kajalj22 @claude
fix(security): remove CVE number from inline comment
3dff7ac 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Kajal Jain <kajalj@nvidia.com>
@kajalj22

kajalj22 commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

/ok to test 3dff7ac

@kajalj22

kajalj22 commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

/ok to test b42da5f

@kajalj22 kajalj22 added the CI:L1 Run doctests, unit tests, and functional tests label Jun 9, 2026
@kajalj22 kajalj22 marked this pull request as ready for review June 9, 2026 23:28
@kajalj22 kajalj22 requested a review from a team as a code owner June 9, 2026 23:28
@terrykong terrykong enabled auto-merge (squash) June 9, 2026 23:43
@kajalj22

kajalj22 commented Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

/ok to test 0527155

@terrykong terrykong merged commit 7556ddc into main Jun 10, 2026
120 of 122 checks passed
@terrykong terrykong deleted the kajalj/cve-bumps-june-2026-2 branch June 10, 2026 18:53
sharonyu-115 added a commit to sharonyu-115/RL that referenced this pull request Jun 12, 2026
@sharonyu-115 @claude
build: regenerate uv.lock after rebase onto main (5034671)
a37143f 
Reapply gemma4 dependency overrides (transformers 5.5.0, vllm 0.20.0,
deep_ep 29d31c09) on top of upstream's lock baseline, which now carries
the PyJWT/mlflow CVE bumps (NVIDIA-NeMo#2752). Resolved 445 packages in-container.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Shuang Yu <shuangy@nvidia.com>
pengdurice pushed a commit to pengdurice/RL that referenced this pull request Jun 12, 2026
@kajalj22 @claude @pengdurice
fix(security): bump PyJWT and mlflow for CVE remediation (NVIDIA-NeMo…
77ade96 
…#2752)

Signed-off-by: Kajal Jain <kajalj@nvidia.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
sharonyu-115 added a commit to sharonyu-115/RL that referenced this pull request Jun 13, 2026
@sharonyu-115 @claude
build: regenerate uv.lock after rebase onto main (5034671)
56c75f8 
Reapply gemma4 dependency overrides (transformers 5.5.0, vllm 0.20.0,
deep_ep 29d31c09) on top of upstream's lock baseline, which now carries
the PyJWT/mlflow CVE bumps (NVIDIA-NeMo#2752). Resolved 445 packages in-container.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Shuang Yu <shuangy@nvidia.com>
sharonyu-115 added a commit to sharonyu-115/RL that referenced this pull request Jun 13, 2026
@sharonyu-115 @claude
build: regenerate uv.lock after rebase onto main (5034671)
c37df4a 
Reapply gemma4 dependency overrides (transformers 5.5.0, vllm 0.20.0,
deep_ep 29d31c09) on top of upstream's lock baseline, which now carries
the PyJWT/mlflow CVE bumps (NVIDIA-NeMo#2752). Resolved 445 packages in-container.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Shuang Yu <shuangy@nvidia.com>
sharonyu-115 added a commit to sharonyu-115/RL that referenced this pull request Jun 14, 2026
@sharonyu-115 @claude
build: regenerate uv.lock after rebase onto main (5034671)
e27d469 
Reapply gemma4 dependency overrides (transformers 5.5.0, vllm 0.20.0,
deep_ep 29d31c09) on top of upstream's lock baseline, which now carries
the PyJWT/mlflow CVE bumps (NVIDIA-NeMo#2752). Resolved 445 packages in-container.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Shuang Yu <shuangy@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@terrykong terrykong terrykong approved these changes

@chtruong814 chtruong814 chtruong814 approved these changes

Assignees

No one assigned

Labels

CI:L1 Run doctests, unit tests, and functional tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kajalj22 @terrykong @chtruong814